Provided by: strongswan-starter_5.1.2-0ubuntu2.11_amd64

NAME

       ipsec_openac - Generation of X.509 attribute certificates

SYNOPSIS

       ipsec openac [ --help ] [ --version ] [ --optionsfrom filename ]
          [ --quiet ] [ --debug level ]
          [ --days days ] [ --hours hours ]
          [ --startdate YYYYMMDDHHMMSSZ ] [ --stopdate YYYYMMDDHHMMSSZ ]
          --cert certfile --key keyfile [ --password password ]
          --usercert certfile --groups attr1,attr2,...  --out filename

DESCRIPTION

       openac is intended to be used by an Authorization Authority (AA) to generate and sign
       X.509 attribute certificates. Currently only the inclusion of one or several group
       attributes is supported. An attribute certificate is linked to a holder by including the
       issuer and serial number of the holder's X.509 certificate.

OPTIONS

       --help display the usage message.

       --version
              display the version of openac.

       --optionsfrom filename
              adds the contents of the file to the argument list.  If filename is a relative path
              then the file is searched in the directory /etc/openac.

       --quiet
              By  default  openac  logs  all  control output both to syslog and stderr.  With the
              --quiet option no output is written to stderr.

       --days days
              Validity of the X.509 attribute certificate in days. If neither the --days nor the
              --hours option is specified then a default validity interval of 1 day is assumed.
              The --days option can be combined with the --hours option.

       --hours hours
              Validity of the X.509 attribute certificate in hours. If neither the --hours nor the
              --days option is specified then a default validity interval of 24 hours is assumed.
              The --hours option can be combined with the --days option.

       --startdate YYYYMMDDHHMMSSZ
              defines the notBefore date when the X.509 attribute certificate becomes valid.  The
              date  YYYYMMDDHHMMSS  must  be  specified  in  UTC (Zulu time).  If the --startdate
              option is not specified then the current date is taken as a default.

       --stopdate YYYYMMDDHHMMSSZ
              defines the notAfter date when the X.509 attribute certificate will expire. The
              date YYYYMMDDHHMMSS must be specified in UTC (Zulu time). If the --stopdate option
              is not specified then the default notAfter value is computed by adding the validity
              interval specified by the --days and/or --hours options to the notBefore date.
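       The validity rules stated for --days, --hours, --startdate and --stopdate are
       worth checking before a certificate is issued, since an attribute certificate
       whose notAfter lies before its notBefore, or whose dates are not in UTC, will not
       be accepted by a verifier. The following Python helper is an added example that
       models those rules; it is not part of openac or strongSwan. The function name
       validity_window and its keyword arguments are assumptions chosen for the example,
       and the sample dates in the usage are constructed.

```python
from datetime import datetime, timedelta, timezone

# Added example (not openac's own code): model the notBefore/notAfter rules
# described for --days, --hours, --startdate and --stopdate.

GENERALIZED_TIME = "%Y%m%d%H%M%SZ"   # YYYYMMDDHHMMSSZ, UTC ("Zulu" time)


def parse_zulu(text):
    """Parse YYYYMMDDHHMMSSZ; anything without the trailing Z is not UTC and is rejected."""
    if len(text) != 15 or not text.endswith("Z"):
        raise ValueError(f"expected YYYYMMDDHHMMSSZ in UTC, got {text!r}")
    return datetime.strptime(text, GENERALIZED_TIME).replace(tzinfo=timezone.utc)


def format_zulu(moment):
    """Render a timezone-aware datetime as YYYYMMDDHHMMSSZ."""
    return moment.astimezone(timezone.utc).strftime(GENERALIZED_TIME)


def validity_window(days=None, hours=None, startdate=None, stopdate=None, now=None):
    """Return (notBefore, notAfter) as YYYYMMDDHHMMSSZ strings.

    Rules taken from the option descriptions:
      - notBefore is --startdate if given, otherwise the current UTC time.
      - notAfter is --stopdate if given; otherwise notBefore plus the validity
        interval, where --days and --hours add up and the default (neither
        option given) is 1 day, i.e. 24 hours.
    """
    if startdate:
        not_before = parse_zulu(startdate)
    else:
        not_before = now or datetime.now(timezone.utc)

    if stopdate:
        not_after = parse_zulu(stopdate)
    else:
        if days is None and hours is None:
            interval = timedelta(days=1)
        else:
            interval = timedelta(days=days or 0, hours=hours or 0)
        not_after = not_before + interval

    # An explicit --stopdate (or a zero interval) can produce an empty window;
    # refuse it here rather than emitting a certificate nobody will accept.
    if not_after <= not_before:
        raise ValueError("notAfter must be later than notBefore")
    return format_zulu(not_before), format_zulu(not_after)


if __name__ == "__main__":
    # Constructed sample: a 2-day, 6-hour validity starting at a fixed UTC time.
    print(validity_window(days=2, hours=6, startdate="20070922120000Z"))
```

       The defaults line up with the man page: with only --startdate given the window
       is exactly one day, and --days 2 --hours 6 yields a 54-hour window. A date
       without the trailing Z is rejected, which mirrors the UTC requirement stated for
       both --startdate and --stopdate.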

       --cert certfile
              specifies the file containing the X.509 certificate of the Authorization Authority.
              The certificate is stored either in PEM or DER format.

       --key keyfile
              specifies the encrypted file containing the private RSA key of the Authorization
              Authority. The private key is stored in PKCS#1 format.

       --password password
              specifies  the  password  with  which  the private RSA keyfile defined by the --key
              option has been protected. If the option is missing then the password  is  prompted
              for on the command line.

       --usercert certfile
              specifies the file containing the X.509 certificate of the user to which the
              generated attribute certificate will apply. The certificate file is stored either
              in PEM or DER format.

       --groups attr1,attr2
              specifies  a  comma-separated  list of group attributes that will go into the X.509
              attribute certificate.

       --out filename
              specifies the file in which the generated X.509 attribute certificate will be
              stored.

   Debugging
       openac  produces  a  prodigious  amount  of  debugging  information.  To do so, it must be
       compiled with -DDEBUG.  There are several classes of debugging output, and openac  may  be
       directed  to produce a selection of them.  All lines of debugging output are prefixed with
       ``| '' to distinguish them from error messages.

       When openac is invoked, it may be given arguments to specify which classes to output.  The
       current options are:

       --debug level
              sets  the  debug level to 0 (none), 1 (normal), 2 (more), 3 (raw), and 4 (private),
              the default level being 1.

EXIT STATUS

       The execution of openac terminates with one of the following two exit codes:

       0      means that the attribute certificate was successfully generated and stored.

       1      means that something went wrong.

FILES

       /etc/openac/serial   serial number of latest attribute certificate

SEE ALSO

       The X.509 attribute certificates generated with  openac  can  be  used  to  enforce  group
       policies  defined  by  ipsec.conf(5).  Use  ipsec_auto(8) to load and list X.509 attribute
       certificates.

       For more information on X.509 attribute certificates, refer to the following IETF RFC:

              RFC 3281 An Internet Attribute Certificate Profile for Authorization

HISTORY

       The openac program was originally written by Ariane Seiler and Ueli Galizzi.  The software
       was  recoded  by  Andreas  Steffen  using  strongSwan's  X.509  library and the ASN.1 code
       synthesis functions written by Christoph Gysin and Christoph Zwahlen.   All  authors  were
       with the Zurich University of Applied Sciences in Winterthur, Switzerland.

BUGS

       Bugs should be reported to the <users@lists.strongswan.org> mailing list.

                                        22 September 2007                         IPSEC_OPENAC(8)